October 14, 2013
Previously published on October 11, 2013
In a 2012 Corporate Board Member/FTI Consulting survey, 48 percent of public company directors and 55 percent of corporate general counsels rated data security as their number one concern. According to the Department of Homeland Security, 85 percent of U.S. critical infrastructure is privately owned and operated. As such, it is essential that corporate boards understand the government’s efforts to manage cybersecurity threats and factor them into their own risk management plans.
Legislation and Executive Order
In early 2012, the Senate introduced legislation that applied mandatory cybersecurity standards to owners and operators of critical infrastructure. However, the bill failed in the face of strong opposition from key senators, privacy advocates, and the U.S. Chamber of Commerce. A revised version of the bill also failed.
In February 2013, President Obama issued an Executive Order directing the National Institute of Standards and Technology to work with critical infrastructure owners and operators in developing a “Cybersecurity Framework” that captures industry best practices to reduce cyber risks to critical infrastructure, a draft of which was released on August 28. Under the Executive Order, the Secretary of Homeland Security is tasked with establishing a “voluntary program” for implementation of the Cybersecurity Framework in the critical infrastructure industries, and developing incentives to encourage participation in the program by those industries, as well as others. Given the breadth of the Executive Order, Congress appears disinclined to revisit its debate over comprehensive legislation.
The SEC’s Division of Corporation Finance issued guidance in October 2011 explaining when companies should disclose cybersecurity risks and cyber incidents in their federal securities filings. In a May 2013 letter to Congress, SEC Chairman Mary Jo White stated that this guidance has had a “positive impact on companies’ disclosures”, and that she has directed SEC staff to provide her with recommendations on whether further action is necessary.
The Federal Trade Commission (FTC) is incentivizing corporate cybersecurity by adopting an aggressive interpretation of its jurisdiction to bring enforcement actions against companies it alleges have inadequate data security. The FTC contends that a company’s failure to provide adequate cybersecurity for its customers’ personally identifiable information is an “unfair business practice” chargeable under section 5(a) of the Federal Trade Commission Act. The FTC has advanced this theory through investigations of, and enforcement actions against, companies that have suffered data breaches resulting in the loss of consumer information. Such targets have included ChoicePoint, Dave & Buster’s, Inc. and HTC America, to name a few. While some, such as the U.S. Chamber of Commerce and former Secretary of Homeland Security Michael Chertoff, have questioned the FTC’s expansive enforcement theory, until recently every company charged under it had agreed to settle with the FTC. In May 2013, Wyndham Worldwide Corporation became the first to challenge the FTC’s jurisdiction to bring such an action when it moved to dismiss an FTC claim arising out of the breach of Wyndham’s systems and the theft of consumer payment card account information, which the FTC alleges resulted in $10.6 million in fraud losses. Wyndham’s motion to dismiss remains pending.
Corporate boards, especially those of companies that own and operate critical infrastructure, must understand and account for the implications of these developments. For example, companies must consider their role in the “voluntary program” being developed under the authority of the President’s Executive Order, and the potential litigation risk if they choose not to meet the resulting voluntary standards. Corporate boards must also be aware of the SEC disclosure obligations with respect to cyber risk and intrusions, not to mention the possibility of an FTC enforcement action if they suffer a data breach. Even more fundamentally, corporate boards must appreciate that they have a fiduciary duty to protect and ensure the integrity of corporate information assets against cyber theft and attack. With the increasing legal obligations and challenges stemming from the cyber threat to corporate America, directors and officers would be wise to take an active role in developing, overseeing, and managing the cybersecurity compliance programs within their companies.